malwarewikiaorg-20200223-history
Alpha
Alpha is a ransomware that runs on Microsoft Windows. It was discovered by Katja Hahn, S!Ri, MalwareHunterTeam, and Michael Gillespie.

Payload

When this ransomware infects a computer, it copies its main executable to %APPDATA%\Windows\svchost.exe and creates an autorun entry named Microsoft, so that the encryption process resumes if the computer is rebooted. The legitimate svchost.exe lives in %SystemRoot%\System32, so a copy under %APPDATA% is a reliable indicator of this infection. The executable removes itself automatically once it has finished encrypting the victim's data.

This ransomware has a somewhat bizarre encryption routine. On the SystemDrive, which is usually the C: drive, it encrypts only certain file types, and only in the Desktop, My Pictures, and Cookies folders; all other folders on the SystemDrive are left alone. The file types targeted on the SystemDrive are:

.3ds, .3fr, .3pr, .ab4, .ac2, .accdb, .accde, .accdr, .accdt, .acr, .adb, .agd1, .ai, .ait, .al, .apj, .arw, .asm, .asp, .aspx, .awg, .backup, .backupdb, .bak, .bat, .bdb, .bgt, .bik, .bkp, .blend, .bmp, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmd, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .css, .csv, .dac, .db, .db3, .dbf, .db-journal, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .der, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dwg, .dxb, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fpx, .fxg, .gif, .gray, .grey, .gry, .h, .hbk, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iiq, .incpas, .jar, .java, .jpeg, .jpg, .js, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdb, .mdc, .mef, .mfw, .mmw, .moneywell, .mos, .mpg, .mrw, .myd, .ndd, .nef, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx1, .nx2, .nyf, .odb, .odf, .odg, .odm, .odp, .ods, .odt, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pat, .pcd, .pdf, .pef, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps, .psafe3, .psd, .ptx, .py, .ra2, .raf, .raw, .rdb, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .sav, .sd0, .sd1, .sda, .sdf, .sldm, .sldx, .sln, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .txt, .vb, .vbs, .wb2, .x3f, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra

On all other fixed disks (but not on network or removable drives) it encrypts every file it finds, including executables. Files are encrypted with AES-256 and the .encrypt extension is appended to the file name, so test.jpg becomes test.jpg.encrypt. During encryption the ransomware drops a ransom note named Read Me (How Decrypt) !!!!.txt in each folder in which it encrypts a file. The text of this ransom note, reproduced verbatim, is:

Greetings,

We'd like to apologize for the inconveniences, however, your computer has been locked. In order to unlock it, you have to complete the following steps:

1. Buy iTunes Gift Cards for a total amount of $400.00
2. Send the gift codes to the indicated e-mail address
3. Receive a code and a file that will unlock your computer.

Please note:
- The nominal amount of the particular gift card doesn't matter, yet the total amount have to be as listed above.
- You can buy the iTunes Gift Cards online or in any shop. The codes must be correct, otherwise, you won't receive anything.
- After receiving the code and the security file, your computer will be unlocked and will never be locked again.

Sorry for the inconveniences caused.

Due to a bug in the ransomware, the note never states the e-mail address to which the victim is supposed to send the gift card codes. The addresses embedded in the ransomware are:

criptote@hmamail.com
referas@hmamail.com
terder@hmamail.com
utera@hmamail.com
criptotak@hmamail.com

Alpha then changes the desktop wallpaper.
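As an added example (not code from the Malware Wiki page and not the ransomware's own code), the following Python models the targeting rules described above and scans a directory tree for the on-disk artifacts the page attributes to Alpha: files carrying the .encrypt extension and the Read Me (How Decrypt) !!!!.txt note. The folder names, the .encrypt suffix, the note filename and the extensions come from the page; the function names, the constructed sample tree, the treatment of sub-folders of Desktop/My Pictures/Cookies as in scope, and the use of "Pictures" as the modern name of the My Pictures folder are assumptions, and the extension set is a representative subset of the list above.

```python
"""Triage helpers modelling the Alpha targeting rules described on the page.

Added example: not the Malware Wiki's code and not the ransomware's code.
Assumptions are marked in comments below.
"""
import os
import tempfile
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".encrypt"                      # appended by Alpha (per page)
RANSOM_NOTE_NAME = "Read Me (How Decrypt) !!!!.txt"  # dropped per folder (per page)

# SystemDrive folders Alpha encrypts in (per page). "pictures" is an assumption:
# on Vista and later the My Pictures shell folder is %USERPROFILE%\Pictures.
SYSTEM_DRIVE_FOLDERS = frozenset({"desktop", "my pictures", "pictures", "cookies"})

# Representative subset of the page's SystemDrive extension list; extend it
# with the full list before using this for real incident scoping.
SYSTEM_DRIVE_EXTS = frozenset({
    ".3ds", ".accdb", ".bak", ".bmp", ".c", ".cpp", ".cr2", ".csv", ".db",
    ".doc", ".docx", ".dwg", ".gif", ".h", ".jpeg", ".jpg", ".js", ".kdbx",
    ".mdb", ".odt", ".p12", ".pdf", ".pem", ".pfx", ".png", ".ppt", ".pptx",
    ".psd", ".py", ".raw", ".sql", ".sqlite", ".txt", ".vbs", ".xls", ".xlsx", ".xml",
})


def would_target(path, system_drive="C:", removable_drives=frozenset()):
    """True if a file at this absolute Windows path is inside Alpha's scope.

    SystemDrive: listed extensions only, and only under Desktop / My Pictures /
    Cookies (sub-folders included: an assumption). Other fixed drives: every
    file, executables included. UNC (network) paths and any drive listed in
    removable_drives: never, because the page says those are skipped.
    """
    p = PureWindowsPath(path)
    drive = p.drive.upper()
    if not drive:
        raise ValueError("expected an absolute Windows path: %r" % path)
    if drive.startswith("\\\\") or drive in {d.upper() for d in removable_drives}:
        return False
    if drive == system_drive.upper():
        folders = {part.lower() for part in p.parts[1:-1]}  # ancestors, drive excluded
        return bool(folders & SYSTEM_DRIVE_FOLDERS) and p.suffix.lower() in SYSTEM_DRIVE_EXTS
    return True


def scan_tree(root):
    """Walk a tree and collect *.encrypt files and ransom notes.

    Because Alpha only appends .encrypt, the original file name is recovered
    by stripping that suffix; affected_dirs lists every folder holding a note.
    """
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                notes.append(full)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(full)
    original_names = sorted(os.path.basename(f)[:-len(ENCRYPTED_SUFFIX)] for f in encrypted)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "original_names": original_names,
        "affected_dirs": sorted({os.path.dirname(n) for n in notes}),
    }


def build_sample_tree():
    """Create a constructed (fake) tree: one encrypted file, one ransom note,
    one untouched file. Returns the root directory. Contents are dummy bytes."""
    root = tempfile.mkdtemp(prefix="alpha-triage-")
    hit, clean = os.path.join(root, "docs"), os.path.join(root, "clean")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, "report.docx" + ENCRYPTED_SUFFIX), "wb") as f:
        f.write(b"\x00" * 16)                 # placeholder, not real ciphertext
    with open(os.path.join(hit, RANSOM_NOTE_NAME), "w") as f:
        f.write("Greetings, ...")             # placeholder for the note text
    with open(os.path.join(clean, "notes.txt"), "w") as f:
        f.write("untouched")
    return root


if __name__ == "__main__":
    for sample in (r"C:\Users\bob\Desktop\photo.jpg", r"C:\Users\bob\Documents\photo.jpg",
                   r"C:\Users\bob\Desktop\setup.exe", r"D:\backup\setup.exe",
                   r"\\fileserver\share\budget.xlsx"):
        print(sample, "->", "in scope" if would_target(sample) else "out of scope")
    print(scan_tree(build_sample_tree()))
```

Running it prints an in-scope or out-of-scope verdict for a few sample paths and the summary for the constructed tree. During an incident, point scan_tree at each mounted volume to enumerate what was hit, and use would_target to predict which SystemDrive files this variant should have touched; encrypted files outside that prediction suggest a different variant or a second payload rather than Alpha as described here.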
Category:Ransomware Category:Win32 ransomware Category:Win32 Category:Win32 trojan Category:Microsoft Windows